Severity
NVD: 6.5 MEDIUM
CNA: 7.7
EPSS
0.3% (top 43.71%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 13
Latest update: Jan 6

Description

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (6 packages)

Source       Package         Affected versions
CVEList V5   npm/cli         < 6.13.4
NVD          npmjs/npm       < 6.13.4
npm          npmjs/npm       < 6.13.4
Debian       npmjs/npm       < 6.13.4+ds-2+3
NVD          opensuse/leap   15.1

Also affects: Fedora 31, Enterprise Linux 8.0, 8.1

Vulnerability Details (4)

GHSA: npm Vulnerable to Global node_modules Binary Overwrite (2019-12-13)
OSV: CVE-2019-16777: Versions of the npm CLI prior to 6 (2019-12-13)
OSV: npm Vulnerable to Global node_modules Binary Overwrite (2019-12-13)
CVEList: Arbitrary File Overwrite in npm CLI (2019-12-13)

Vendor Advisories (2)

Red Hat: npm: Global node_modules Binary Overwrite (2019-12-12)
Debian: CVE-2019-16777: npm - Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Over... (2019)

Community (3)

Bugzilla: CVE-2019-16777 nodejs: Global node_modules Binary Overwrite via npm CLI [fedora-all] (2020-01-06)
Bugzilla: CVE-2019-16777 npm: Global node_modules Binary Overwrite (2020-01-06)
Bugzilla: CVE-2019-16777 nodejs: npm: Global node_modules Binary Overwrite [epel-all] (2020-01-06)
CVE-2019-16777 — Path Traversal in NPM CLI | cvebase